I am using Cloud IAP to protect APIs (on Google App Engine), and I'd like to access them from a JavaScript app in the browser.
The problem is: the browser tries to send a preflight OPTIONS request, which is blocked by IAP. As I cannot attach any Authorization header to OPTIONS, what is the solution?
Related
I have deployed an app in gcloud appengine. The main site is secured through a google managed certificate in app engine. However, after the authentication through auth0, the redirected url reviewresponse.beratics.com/dashboard is no more http secured although it has a certificate. That means I can change the url manually to https://reviewresponse.beratics.com/dashboard and it works. But it does not work automatically. What can I do, where is the problem? I have implemented pyopenssl and other measures such as talisman in python but the problem still persists. The backend is in flash, the app is on gcloud appengine flexible environment and the site is wordpress managed. The authentication to app works through auth0. All the callback Urls at Auth0 are with https. Thanks in advance!
I think this is what you are looking for, but App Engine has a secure flag in the app.yaml config which you can set to always which will redirect all http traffic to https. The details of this you can find here
Google Cloud app.yaml ref CTRL+F for 'secure'
As a possible workaround, GCE VM's allows custom firewall rules without any load balancer in front of them, in other words, you can use a GCE VM as a "proxy" setting a static IP blocking traffic over port 80 to then redirect to App Engine.
Also, I found this feature Request, as a kind recommendation you can start it in order that you receive further information about this.
I’ve created new application on App Engine (.net core app 2.1).
Authentication to my application is realized using Google's OAuth2.
When I go to my app I can see that the communication is secured using SSL. As far I know - communication to my app is going through load balancer (using HTTPS) and after it is forwarded to my application instance, it is using (HTTP- not secured protocol).
So If I would like to authenticate user in my application (by clicking to ‘Sign in with Google’) my app makes a request using http (not https). Because of that, when I go to https://accounts.google.com/signin/oauth... from my app, the ‘redirect uri’ is set automatically to http://mysite (not https). So after login, ‘google OAuth’ redirects me to http page.
From the user point of view, the request outgoes from https (secured), and after login he is on http page (not secured).
What can I do, to force my app to use https protocol also behind the load balancer?
Alternatively – can I go directly to my app skipping load balancer?
I am trying to setup cloud IAP for an application hosted in the Google cloud.
Logging in to the application works well via the web, and you are redirected to the Google authentication page, and redirected back to the website, with a session token set as a cookie.
Authenticating via a non-web interface, following the guide on programmatic authentication, trying both the command line way described there, and using the iOS SDK. In both cases, login works as it should, and I receive an id_token from the login process. BUT when I make an request like follows:
curl --verbose --header 'Authorization: Bearer ID_TOKEN' https://an-app.appspot.com/api/user
I ALWAYS receive the following response:
There was a problem with your request. Error code 13
It does not matter what the ID_TOKEN in the request is, the response is always Error code 13. If I do not specify the Authorization header, I am redirected to Google's login page.
Is there any setting or configuration I am missing?
TLDR;
The problem was a misconfiguration of the auth payload, in my case, it was the target audience that wasn't correct. Here's the appropriate format:
// this is the IAP client ID that can be obtained by clicking 3 dots -> Edit OAuth Client in IAP configuration page
const target_audience = "12345.apps.googleusercontent.com";
Details
I had the same problem, that I resolved using a mix between this post: How to authenticate google cloud functions for access to secure app engine endpoints And this Gist: https://gist.github.com/plmrry/f78136bba68f810622bc2840497ef7e1
I am configuring Alexa smart home skill for Authentication with my cloud under Account linking. As a part of configuration I need to give below two API endpoint of my cloud:
Authorization URL
Access Token URI
When I configure my cloud API endpoint which is serving on HTTP protocol it does not allow me to save and give me below error:
Error: A URL must be between 9 and 2000 characters.
But when I change URL from http to https it allow me to save. So I conclude it only requires endpoint serving on HTTPS.
Question: Is there a way to configure smart home skill with endpoint serving on HTTP protocol?
probleme when calling nodejs(localhost:3000)passport facebook stratrgy authentification from "another server" angular(localhost:8080).
XMLHttpRequest cannot load https:/www.facebook.com/dialog/oauth?response_type=code&redirect_uri=http%…%2Flocalhost%3A3000%2Fauth%2Ffacebook%2Fcallback&client_id=154021398315208. Redirect from 'https://www.facebook.com/dialog/oauth?response_type=code&redirect_uri=http%…%2Flocalhost%3A3000%2Fauth%2Ffacebook%2Fcallback&client_id=154021398315208' to 'https://www.facebook.com/login.php?skip_api_login=1&api_key=154021398315208…_&display=page&locale=en_US&logger_id=91549505-c21b-1176-243b-5cc5e73a788a' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
This could be a couple of issues.
In your Facebook App settings you may have to authorize localhost as a valid App Domain.
Secondly, since your requests are cross domain you may have to tweak web security while in localhost.
The browser is blocking these requests since you are on one website, but calling API's on another. This is a simple way hackers hack your users so most browsers block it. Here's a quick tutorial on CORS.